2012-06-07

A few folks asked how I put together the password hash checker yesterday. Understand that I was sick and in bed most of the day, and did most of this from my Motorola Droid 4. It was really ugly.
A local KC2600'er found a link to the hash dump on a shady Russian website. If you really want the dump of hashes and haven't found it yet, look for combo_not.zip and/or combo_not.txt. I downloaded the file via wget on one of my OpenBSD web servers.
The text file was likely made from a Windows environment because it has telltale CR/LF line breaks. The first thing I did was fix the line breaks with sed. This cute little one-liner replaces all CR/LF line breaks with traditional UNIX line breaks so that command-line wizardry will work on it.

sed -i "" 's/.$//' combo_not.txt

Then, I figured I should cram it all into MySQL to make queries against the data less of a pain in the ass. I created a database and user named lihash, then created the DB with only an auto-incrementing ID and a hash column:

It took several minutes to munch through the data and created many megabytes of MySQL binary logs. While that was processing, I scoured the web looking for a decent javascript SHA-1 hashing method so that I didn't have to worry about handling peoples' passwords via my site. You can simply view the source of this page to see how that works. It was mostly copypasta.
Finally, there's the PHP that drives it on the back-end. You can see the PHP Source HERE. When I was testing, I had it displaying the hash that was passed. I got rid of that part to keep XSS shenanigans at bay. I'm probably doing all sorts of things wrong with the SQL queries, but I copied some of that database code from another project on that server (I was using a phone for this, remember?)

2012-06-06

By now, you may have heard that a list of 6.5 million hashes have been posted to the Internet, and that they appear to be password hashes from LinkedIn. CNet has some of the deets, but there's a great thread on YCombinator Hacker News where some observations are made. Namely, SHA1 hashes for easily-guessed passwords (such as "linkedin" or "password") do not show up in the list, but if you replace the first five characters of the hash with "00000", then hashes do match for simple passwords. This leads to speculation that the attackers have already cracked some of the easy ones and truncated them in the list.

I've made a really quick and dirty web page that will help you check if your password is on the list. It features a nifty javascript SHA-1 digest hash generator so that the password you check never gets sent over cleartext. It will check hash and truncated hash against the dump. If it detects the entire hash, then your LinkedIn password hash is now in the wild, and it's likely only a matter of time until it's cracked. If the truncated version is in the password dump, it's almost certain your password is compromised.

HiR Featured Columns

HiR Tools

HiR Categories

About HiR

HiR is what happens when 1990s-era e-Zine writers decide to form a blog. Most of us hail from the Great Plains region of the United States.

Ax0n, HiR founder and editor-in-chief is an information security specialist currently working in the luxury goods industry.

Asmodian X joined HiR in December 1997 and currently works as a web developer and SysAdmin in the education industry.

Frogman has been on board since May 1998 and has many technical passions. When not experimenting with obscure hardware, he can be found leaping from one rooftop to the next, making the world his office.

TMiB has also been helping since 1998. Also our resident Physicist and go-to guy for xkcd jokes we don't get, The Man in Black currently works in the Internet industry in an east-coast data center.